dusk

[Content by Gemini 2.5]

Ransomware Intelligence Brief – “DUSK” Variant

(File extension observed: .dusk)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmed extension: .dusk (lower-case)
  • Renaming convention:
      • Original → sample.docx
      • After encryption → sample.docx.id[XXXXXXXX].dusk
      • The “id[XXXXXXXX]” tag is a unique victim identifier generated from the MAC address or volume serial number; it lets the affiliate panel credit the right criminal.
  • Folders receive a ransom note README_TO_RESTORE.txt (sometimes also HOW_TO_DECRYPT.hta, dropped via a scheduled task).
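As an added example (not part of the original brief), a small Python triage helper that recognises the renaming convention above, extracts the victim tag, and lists which folders carry the ransom note. The sample paths are constructed, and the tag is assumed to be eight hex characters (the brief only shows it as XXXXXXXX).

```python
import re

# Observed convention: <original name>.id[XXXXXXXX].dusk
# Assumption: the 8-character victim tag is hexadecimal (the brief shows only XXXXXXXX).
DUSK_RE = re.compile(r"^(?P<orig>.+)\.id\[(?P<victim>[0-9A-Fa-f]{8})\]\.dusk$")
RANSOM_NOTES = {"readme_to_restore.txt", "how_to_decrypt.hta"}

def parse_dusk_name(name: str):
    """Return (original_name, victim_id) if `name` follows the DUSK pattern, else None."""
    m = DUSK_RE.match(name)
    if not m:
        return None
    return m.group("orig"), m.group("victim").upper()

def triage_listing(paths):
    """Summarise a file listing: encrypted files, victim IDs seen (one per host,
    since the tag is derived from MAC / volume serial), and folders with a note."""
    encrypted, victims, notes = [], {}, set()
    for path in paths:
        folder, _, name = path.rpartition("\\")
        parsed = parse_dusk_name(name)
        if parsed:
            orig, vid = parsed
            encrypted.append((path, orig, vid))
            victims[vid] = victims.get(vid, 0) + 1
        elif name.lower() in RANSOM_NOTES:
            notes.add(folder)
    return {"encrypted": encrypted, "victims": victims, "note_dirs": sorted(notes)}

# Constructed sample listing, not taken from a real incident.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\sample.docx.id[1A2B3C4D].dusk",
    r"C:\Users\alice\Documents\README_TO_RESTORE.txt",
    r"C:\Users\alice\Documents\budget.xlsx.id[1A2B3C4D].dusk",
    r"\\file-srv\finance\ledger.sql.id[1A2B3C4D].dusk",
    r"\\file-srv\finance\README_TO_RESTORE.txt",
    r"\\file-srv\hr\payroll.pdf.id[9F9F9F9F].dusk",   # second victim ID: encrypted by another host
    r"C:\Windows\System32\notepad.exe",
    r"C:\temp\notes.txt.dusk",   # no id[] tag: does not match the DUSK convention
]

if __name__ == "__main__":
    print(triage_listing(SAMPLE_PATHS))
```

Two distinct victim IDs in one share listing means two separate hosts ran the encryptor, which widens the containment scope.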

2. Detection & Outbreak Timeline

  • First public submission: 2023-11-02 on ID-Ransomware / Malware-Bazaar.
  • Peak activity window: Dec-2023 through Q1-2024 (most prevalent in the EU & APAC MSP sector).
  • Still active but volume decreased after March-2024; new samples continue to be uploaded weekly.

3. Primary Attack Vectors

  1. Phishing with Qakbot / DarkGate follow-on – early stage uses ISO / ZIP / OneNote lures that side-load the initial loader.
  2. Exploitation of vulnerable Citrix NetScaler / VMware ESXi – CVE-2023-3519, CVE-2023-20867, or unpatched RCE in public-facing appliances.
  3. RDP brute-force / credential stuffing – after harvesting sessions from info-stealer marketplaces.
  4. Living-off-the-land to reach domain controllers – WMI, PsExec, SharpShares; disables Windows Defender via Set-MpPreference.
  5. Encryptor payload:
      • Written in Rust (x64), which hampers detection; cross-platform builds exist for ESXi & Linux.
      • Hybrid cipher: ChaCha20 for bulk data, RSA-2048 to wrap the symmetric keys; keys are embedded & unique per campaign.
      • Encrypts local drives first, then network SMB shares, and finally deletes VSS shadow copies (vssadmin delete shadows /all /quiet).
      • Self-deletes by wiping its own PE from disk and overwriting MFT records to hinder forensics.
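An added detection example, not from the original brief: a rule set over process-creation events (Sysmon ID 1 / Security 4688 style) that flags the Defender tampering, shadow-copy wipe and lateral-movement commands listed above, and escalates any host that shows two or more distinct stages. The events are constructed and the field layout is an assumption.

```python
import re
from dataclasses import dataclass

# Command-line patterns for the stages named above. Names and severities are
# our own labels (assumption), not vendor detection names.
RULES = [
    ("defender_tamper", r"set-mppreference\s+.*-disable\w*\s+\$?true", "high"),
    ("shadow_wipe",     r"vssadmin(\.exe)?\s+delete\s+shadows\b",       "critical"),
    ("lateral_psexec",  r"psexec(64)?(\.exe)?\s",                        "medium"),
    ("lateral_wmi",     r"wmic(\.exe)?\s+.*process\s+call\s+create",     "medium"),
    ("share_enum",      r"sharpshares",                                   "medium"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE), sev) for name, pat, sev in RULES]

@dataclass
class ProcEvent:
    host: str
    user: str
    parent: str
    cmdline: str

def match_rules(ev: ProcEvent):
    """Return [(rule_name, severity)] for every rule whose pattern hits the command line."""
    return [(name, sev) for name, rx, sev in COMPILED if rx.search(ev.cmdline)]

def assess_hosts(events):
    """Group rule hits per host; two or more distinct stages on one host is the
    Defender-off -> shadow-wipe -> encrypt chain and is escalated."""
    per_host = {}
    for ev in events:
        for name, _ in match_rules(ev):
            per_host.setdefault(ev.host, set()).add(name)
    return {h: ("likely-encryptor-deployment" if len(s) >= 2 else "suspicious")
            for h, s in per_host.items()}

SAMPLE_EVENTS = [  # constructed telemetry, not from a real incident
    ProcEvent("WS-017", "CORP\\jdoe", "explorer.exe", "winword.exe /n report.docx"),
    ProcEvent("WS-017", "CORP\\jdoe", "powershell.exe",
              'powershell -c "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ProcEvent("WS-017", "NT AUTHORITY\\SYSTEM", "cmd.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent("DC-01", "CORP\\svc_backup", "cmd.exe", r"PsExec64.exe \\DC-01 -s cmd.exe"),
    ProcEvent("FS-02", "CORP\\admin", "cmd.exe", "vssadmin list shadows"),  # benign listing
]

if __name__ == "__main__":
    print(assess_hosts(SAMPLE_EVENTS))
```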

Remediation & Recovery Strategies

1. Prevention

  • Patch external-facing services immediately—especially Citrix, VMware, Fortinet, and any 2023 CVE chain.
  • Disable SMBv1 company-wide; restrict lateral-movement paths (disable RDP when not required, use EDR network containment).
  • Enforce geo-IP blocks on RDP / VPN gateways; mandate 2FA / certificate-based auth.
  • Application whitelisting (WDAC / AppLocker) to block unsigned binaries executing from %TEMP% or C:\PerfLogs.
  • Segment networks and protect DC/backup VLANs with ACLs.
  • Application-level backups that are immutable (offline tape, WORM S3, hardened Linux repository in append-only mode).
  • Run “CanaryToken” shares (\\file-srv\dummycanary); some DUSK affiliate crews scan admin shares alphabetically, so a write event on a honeypot share gives an early alert.

2. Removal / Containment Playbook

  1. Isolate the patient-zero machine from the network (pull cable / disable Wi-Fi).
  2. Power off non-essential VMs via vCenter / Hyper-V Manager; this keeps RAM artefacts intact while stopping encryption.
  3. Collect triage: MFT, USN journal, AmCache, Event Logs (IDs 4624/4625, 4672), prefetch, and C:\ProgramData\readme_to_restore.txt.
  4. Scan with updated EDR signatures (family named “Ransom:Rust/Dusk” by Microsoft, “Trojan-Ransom.Dusk” by Kaspersky). Remove residual persistence:
      • Scheduled task \Microsoft\Windows\Application Experience\StartupCheck (drops the Rust binary).
      • Service named Updatesss pointing to C:\Windows\System32\drivers\svcss.exe.
  5. If a DC is compromised, force a forest-wide password reset after you verify eradication; look for added GPOs pushing the malware EXE via logon scripts.
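An added example (not from the brief) for triaging the 4624/4625/4672 events collected in step 3: it flags an RDP logon (LogonType 10) preceded within five minutes by a burst of failures from the same source IP, which is the brute-force path described under attack vectors, and notes whether a 4672 privileged-logon event followed. The rows, threshold and window are constructed assumptions.

```python
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                 # failed logons from one source IP within WINDOW (assumed)
WINDOW = timedelta(minutes=5)
PRIV_LAG = timedelta(seconds=5)    # 4672 normally lands right after its 4624

# Constructed rows in the shape of an exported Security-log CSV:
# (EventID, TimeCreated, TargetUserName, IpAddress, LogonType). Not real data.
SAMPLE_LOG = [
    (4625, "2024-01-14T02:10:01", "administrator", "203.0.113.7", 3),
    (4625, "2024-01-14T02:10:04", "backup",        "203.0.113.7", 3),
    (4625, "2024-01-14T02:10:09", "jdoe",          "203.0.113.7", 3),
    (4625, "2024-01-14T02:10:15", "svc_sql",       "203.0.113.7", 3),
    (4625, "2024-01-14T02:10:20", "itadmin",       "203.0.113.7", 3),
    (4624, "2024-01-14T02:11:02", "itadmin",       "203.0.113.7", 10),  # RDP success
    (4672, "2024-01-14T02:11:02", "itadmin",       "-",           0),   # admin privileges assigned
    (4625, "2024-01-14T08:30:00", "jdoe",          "10.0.0.55",   2),   # single typo at console
    (4624, "2024-01-14T08:30:10", "jdoe",          "10.0.0.55",   2),
]

def find_rdp_bruteforce(rows):
    """Return (source_ip, account, success_time, privileged) for each RDP success
    preceded within WINDOW by >= FAIL_THRESHOLD 4625 events from the same IP."""
    rows = sorted(rows, key=lambda r: r[1])          # ISO timestamps sort lexically
    privs = [(datetime.fromisoformat(r[1]), r[2]) for r in rows if r[0] == 4672]
    fails, hits = {}, []
    for eid, ts, user, ip, ltype in rows:
        t = datetime.fromisoformat(ts)
        if eid == 4625:
            fails.setdefault(ip, []).append(t)
        elif eid == 4624 and ltype == 10:
            recent = [f for f in fails.get(ip, []) if t - f <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                priv = any(u == user and timedelta(0) <= pt - t <= PRIV_LAG for pt, u in privs)
                hits.append((ip, user, ts, priv))
    return hits

if __name__ == "__main__":
    for hit in find_rdp_bruteforce(SAMPLE_LOG):
        print("RDP brute-force success:", hit)
```

A hit with privileged=True is the case that warrants the forest-wide reset in step 5, since the account already held admin rights when it logged on.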

3. File Decryption & Recovery

  • Current status: No free decryptor exists – the criminals hold the RSA private half server-side.
  • Recovery paths:
      • Restore from offline backups after verifying they were not mounted at infection time (check the README_TO_RESTORE.txt timestamp against the backup snapshot time).
      • Volume shadow copies are usually wiped; carve C:\$LogFile and use PhotoRec to recover fragments of TXT, PDF, ZIP and SQL dumps. Good for small-business documents, unlikely to help for large databases.
      • Negotiation / paying the ransom: the DUSK crew asks 0.8-1.2 BTC on average; even if paid, decryption is slow (single-threaded Rust decryptor). Law enforcement strongly discourages payment.
      • Experimental: if the campaign reused an RSA keypair (one cluster in Jan-2024 apparently did), BruteRDP researchers have a private utility; submit a file pair (plaintext + encrypted) to NoMoreRansom to test.

4. Other Critical Information

  • Unique behaviours:
      • Drops a kernel driver (dustpvd.sys, revoked certificate) to issue FSCTL_LOCK_VOLUME, bypassing file-in-use errors on open SQL/VM files. On reboot the driver is removed, which crashes larger DB restores.
      • Geo-fence: the Rust stub enumerates the keyboard layout; on 0x419 (RU) it exits without encrypting, typical of Eastern-European-origin crews.
      • Extortion page: victims are listed on a hidden blog (“DuskLeaks”) and receive a five-day countdown before data publication.
  • Broader impact: MSP-focused targeting has produced cascading outages—two regional European cloud partners lost customer ESXi farms (≈ 4,000 VMs), demonstrating how “mid-tier” actors can reach enterprise scale without writing zero-days.

Essential Tool & Patch Checklist

  • Microsoft Defender signature build 1.403.1209.0 or newer (detects Ransom:Rust/Dusk family).
  • CVE-2023-3519 hotfix for Netscaler ADC (build 13.1-49.13+).
  • VMware ESXi 7.0 U3t / 8.0 U2 or vendor patch for CVE-2023-20867.
  • Free incident-response ISO: download KAPE, Timeline Explorer and IPED for triage; ziggy/rust-demangle to inspect strings in the ELF/PE Rust payload.

Report any new .dusk samples to your national CERT and to NoMoreRansom – analysts pool code to find implementation flaws or reused keys that could unlock a universal decryptor.

Stay patched, stay segmented, and keep at least one truly offline backup. Dusk relies on speed through exposed edges—blocking that first foothold remains your strongest defense.